4 Important Vendor Risk Management Principles For Security Managers

Melissa Stevens | August 18, 2016

Organizations today aren’t single entities—they are interconnected networks of third parties. And while third party relations are critical for success in most businesses, they also leave data more vulnerable to exposure from bad actors. Because of this, vendor risk management (VRM) is becoming an even more important business practice. 

Below, we’ve outlined four critical principles all security managers should keep in mind when it comes to vendor risk management.

The 4 Most Important Vendor Risk Management Principles For Security Managers

1. Know which vendors have your critical data. 

Fact: You cannot treat all of your vendors equally. Your organization doesn’t have unlimited resources or the ability to scale infinitely, so you need a consistent method for prioritizing vendor evaluations. The cornerstone of managing third parties is placing as much effort as possible into the vendors that are managing, processing, or storing your most critical data.

First, consider your data criticality: Which vendors are handling the most valuable data in your organization? Second, consider your critical services: Which vendors host a critical service for you that isn’t protected or regulated well? Once you evaluate these questions, you should be able to determine where you want to spend the majority of your time and which vendors to prioritize in terms of vendor risk management.

2. Verify that the security posture of the vendor is equal to or better than your own.

Most organizations begin their vendor evaluation processes by reviewing compliance reports based on frameworks like ISO, NIST, or SOC 2. These reports are simple communication vehicles that give you a glimpse at the vendor’s current cybersecurity posture.

The problem is, these reports are often subjective, unverifiable, and unactionable—a triple threat against proper vendor risk management principles. What’s more, the reports are subject to human fallibility, misunderstanding, misinterpretation, and error, and they can eat away at time from both parties involved.

Therefore, many modern organizations are turning to publicly observable metrics, which identify and verify the technical controls a vendor has in place. These metrics are typically mapped to the vendor’s public IP addresses. Signs like poor configurations, or a vendor’s public IP address space communicating with known malicious sites, are indicators that the vendor’s security posture may not be up to par. This is similar to home security: A home with no locks and broken windows is easier to break into than one that is meticulously maintained and updated with the right security tools.

Solutions like BitSight Security Ratings allow first-party organizations to quickly and easily review their vendors without having to request anything from the third party. These solutions take a time-consuming data collection process and make it as easy as logging into a portal and reviewing a security rating.

3. Ensure that you review third parties holistically.

When contracting with a new vendor, you want to be sure that you have the business’s best interests in mind—and this means collaborating across departments and internal groups.

You have to keep in mind that information security and data privacy aren’t the only things that a vendor is analyzed on—legal, finance, and human resources are also important areas of supplier onboarding. For example, if a vendor performs poorly in information security but well in all other categories, you may still choose to work with them. Why? Perhaps they don’t house any critical data or perform any critical services, and a partnership would be mutually beneficial. Conversely, a vendor may perform very highly in information security, but legal or finance is unwilling to accept a particular contractual term. In this instance, it’s important for all parties to look at the business as a whole—not just at their individual disciplines—for the betterment of the company.

4. Trust but verify.

This age-old adage still rings true. Vendor risk management is an evaluation of a continual relationship, not an evaluation of a specific point in time. But without the proper tools, there’s no way to know how the posture of a vendor changes after you’ve signed a contract. With continuous risk monitoring solutions like BitSight Security Ratings, you’re able to consistently and regularly see how the vendor’s security posture is changing and help mitigate the risk to your own data and network.
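Principles 1, 2 and 4 together describe a small model: tier vendors by data criticality, turn externally observable findings against their public IP space into a rating, and keep rating that footprint after the contract is signed so drift is caught. The following is an added illustration in Python, not BitSight’s code or scoring method; vendor names, CIDR ranges (TEST-NET documentation space), the “known malicious” destination, finding weights and the 70-point threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
# Constructed sample values (TEST-NET documentation ranges), not real vendors or indicators.
KNOWN_MALICIOUS = {"198.51.100.7"}
FINDING_WEIGHT = {"open_admin_port": 15, "expired_tls_cert": 10, "malicious_contact": 30}

@dataclass
class Vendor:
    name: str
    handles_critical_data: bool
    hosts_critical_service: bool
    public_ranges: tuple        # CIDRs the vendor's public footprint is mapped to
    contract_signed: date

def tier(v):
    """Principle 1: tier 1 vendors get the most review effort, tier 3 the least."""
    return 1 if v.handles_critical_data else 2 if v.hosts_critical_service else 3

def owner_of(ip, vendors):
    """Attribute an observed public IP to the vendor whose announced range contains it."""
    a = ip_address(ip)
    return next((v for v in vendors if any(a in ip_network(r) for r in v.public_ranges)), None)

def daily_rating(findings):
    """Principle 2: each externally observable finding lowers a 100-point baseline."""
    return max(0, 100 - sum(FINDING_WEIGHT[f] for f in findings))

def posture_timeline(vendors, observations):
    """Principle 4: a rating per vendor per day from (day, src_ip, dst_ip, finding) tuples."""
    per_day = {}
    for day, src, dst, finding in observations:
        if (v := owner_of(src, vendors)) is not None:
            found = per_day.setdefault(v.name, {}).setdefault(day, [])
            found += [finding] if finding else []
            found += ["malicious_contact"] if dst in KNOWN_MALICIOUS else []
    return {n: sorted((d, daily_rating(f)) for d, f in days.items()) for n, days in per_day.items()}

def review_alerts(vendors, observations, threshold=70):
    """Vendors whose rating dropped below threshold after signing, highest-priority tier first."""
    timeline = posture_timeline(vendors, observations)
    return [(tier(v), v.name, day, score) for v in sorted(vendors, key=tier)
            for day, score in timeline.get(v.name, []) if day > v.contract_signed and score < threshold]

VENDORS = [Vendor("payroll-saas", True, True, ("203.0.113.0/24",), date(2016, 6, 1)),
           Vendor("office-catering", False, False, ("192.0.2.0/24",), date(2016, 6, 1))]
OBSERVATIONS = [  # constructed external observations of the vendors' public IP space
    (date(2016, 7, 1), "203.0.113.10", "198.51.100.1", None),                # clean day: 100
    (date(2016, 8, 1), "203.0.113.10", "198.51.100.7", "expired_tls_cert"),  # 100-10-30 = 60
    (date(2016, 8, 1), "192.0.2.5", "198.51.100.7", None),                   # 100-30 = 70
]
```

Running `review_alerts(VENDORS, OBSERVATIONS)` flags only the tier-1 payroll vendor, whose rating fell to 60 two months after signing; the low-tier caterer sits at the threshold and is not raised.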

In Summary

Vendor risk management must be a priority for all security managers. If you don’t do your due diligence on a vendor before signing on the dotted line, you may be setting yourself up for an information security disaster.

Because this process can be both lengthy and intimidating, we’ve created a guide for security managers that covers the following:

  • Basic questions you need to ask all vendors.
  • Actionable risk vectors and configurations to keep in mind.
  • The impact of continuous risk monitoring software.

Download the guide today to get your vendor risk management program running quickly and smoothly.
